Hunting for Bitwarden master passwords stored in memory

  • I wonder if there's any difference if you use the option to sign in with Windows Hello using a TPM. What about logout vs lock?

  • I'm guessing they've built the desktop client in JavaScript. One disadvantage of the language (and all similar ones!) is that the GC isn't deterministic. Without access to Node's gc() API, it's very hard to ensure the credentials are wiped from memory after locking.
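
An added illustration of the point in the last comment (not Bitwarden's code and not part of the thread): a JavaScript string is immutable and its bytes stay in the heap until the garbage collector reclaims them, whereas a typed array can be overwritten at the moment of locking. `SecretBytes` and `demo` are hypothetical names, the sample values are constructed, and the example assumes the secret reaches the code as bytes rather than as a string.

```javascript
// Added example: keep secret material in a typed array so it can be zeroed on lock.
class SecretBytes {
  #buf;

  constructor(bytes) {
    this.#buf = Uint8Array.from(bytes); // private copy that this object controls
    bytes.fill(0);                      // overwrite the caller's buffer in place
  }

  // Hand the secret to fn as a view; subarray() shares memory with #buf,
  // so a later wipe() also clears any view that fn kept.
  use(fn) {
    if (this.#buf === null) throw new Error('locked');
    return fn(this.#buf.subarray(0));
  }

  // Overwrite the bytes now instead of waiting for a garbage collection cycle.
  wipe() {
    if (this.#buf !== null) this.#buf.fill(0);
    this.#buf = null;
  }

  get locked() { return this.#buf === null; }
}

function demo() {
  const typed = new TextEncoder().encode('correct horse (constructed)');
  const secret = new SecretBytes(typed);

  let keptView;
  const sumBefore = secret.use((b) => { keptView = b; return b.reduce((a, x) => a + x, 0); });
  secret.wipe();

  // A string offers no equivalent: index assignment is ignored (or throws in
  // strict mode), so the original characters remain until the GC frees them.
  let s = 'hunter2 (constructed)';
  try { s[0] = 'X'; } catch (e) { /* TypeError in strict mode */ }

  return {
    sumBefore,
    callerWiped: typed.every((b) => b === 0),
    viewWiped: keptView.every((b) => b === 0),
    locked: secret.locked,
    stringUnchanged: s[0] === 'h',
  };
}
```

Any step that turns the bytes into a string (an input field value, `TextDecoder.decode`, `JSON.stringify`) creates a copy that `wipe()` cannot reach.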